Proxy
New Webster's Dictionary of the English Language defines proxy as "the agency of a person
who acts as a substitute for another person; authority to act for another." Although this
definition does not describe a proxy firewall, the function is very similar.
A proxy firewall, commonly called a proxy server, acts on behalf of hosts on the protected
network segments. The protected hosts never actually make any connections with the outside
world. Hosts on the protected network send their requests to the proxy server, where they
are compared to the rulebase. If the request matches a rule within the rulebase and is allowed,
the proxy server sends a request on behalf of the requesting host to the external host and
forwards the reply to the requesting host.
Proxies run at the upper layers of the OSI reference model. As with the firewalls already
discussed, the connection is still established at the network and transport layers; the
application proxy, however, then examines the request at the upper layers while verifying it
against the rule set. Only if the traffic meets the requirements of the upper-layer inspection
and is permitted by the rule set does the proxy firewall create a new connection to the destination.
Using the OSI reference model, Figure 2-2 depicts how traffic passes through a proxy firewall
from the source to the destination.
Most proxy firewalls are designed to cache commonly used information to expedite the
response time to the requesting host. Application proxies tend to be very secure because the
packets are inspected at all layers, but performance can suffer for the same reason. The
processing workload required to perform proxy services is significant and increases with the
number of requesting hosts.
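The following is an added example, not code from the book, that models the behaviour described above: a protected host hands a request to the proxy, the proxy parses it at the application layer, compares it with a first-match rulebase (implicit deny), opens a brand-new connection to the destination on the host's behalf, relays the reply, and caches it so that a repeated request does not cost a second outbound connection. The request syntax ("METHOD host:port /path"), the Rule fields, and the local backend server that stands in for the external host are all constructed for the example.

```python
import socket
import threading
from dataclasses import dataclass
from typing import Optional


def start_backend():
    """Constructed stand-in for the external host. Listens on 127.0.0.1 on an
    ephemeral port and echoes whatever it receives, prefixed with 'REPLY for '.
    Returns the (host, port) tuple the proxy should connect to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                data = conn.recv(4096)
                conn.sendall(b"REPLY for " + data)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


@dataclass
class Rule:
    """One rulebase entry (constructed format). '*' / None act as wildcards."""
    action: str            # "allow" or "deny"
    method: str            # application-layer verb, e.g. "GET", or "*"
    host: str              # destination host, or "*"
    port: Optional[int]    # destination port, or None for any port


def rulebase_permits(rules, method, host, port):
    """First matching rule decides; no match means deny (default-deny)."""
    for r in rules:
        if r.method in ("*", method) and r.host in ("*", host) and r.port in (None, port):
            return r.action == "allow"
    return False


def parse_request(raw):
    """Application-layer inspection of the constructed 'METHOD host:port /path' form.
    Anything that does not fit the expected shape is rejected before any rule check."""
    parts = raw.strip().split()
    if len(parts) != 3 or ":" not in parts[1] or not parts[2].startswith("/"):
        raise ValueError("malformed request")
    method, target, path = parts
    host, port = target.rsplit(":", 1)
    return method, host, int(port), path


class ProxyFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.cache = {}             # (method, host, port, path) -> reply text
        self.connections_made = 0   # outbound connections opened on hosts' behalf

    def handle(self, raw_request):
        """Process one request from a protected host and return the reply text.
        The protected host never talks to the destination; only the proxy does."""
        try:
            method, host, port, path = parse_request(raw_request)
        except ValueError:
            return "DENY: malformed request"
        if not rulebase_permits(self.rules, method, host, port):
            return f"DENY: {method} {host}:{port} not permitted by rulebase"
        key = (method, host, port, path)
        if method == "GET" and key in self.cache:
            return self.cache[key]   # cached reply, no new outbound connection
        try:
            # A new connection from the proxy itself, carrying only the
            # application-layer request, never the client's own socket.
            with socket.create_connection((host, port), timeout=2) as s:
                self.connections_made += 1
                s.sendall(f"{method} {path}".encode())
                reply = s.recv(4096).decode()
        except OSError as exc:
            return f"ERROR: destination unreachable ({exc.__class__.__name__})"
        if method == "GET":
            self.cache[key] = reply
        return reply


if __name__ == "__main__":
    host, port = start_backend()
    fw = ProxyFirewall([Rule("allow", "GET", host, port)])
    print(fw.handle(f"GET {host}:{port} /index"))   # relayed reply
    print(fw.handle(f"POST {host}:{port} /index"))  # denied by rulebase
    print("outbound connections:", fw.connections_made)
```

Running the block twice-requested GET shows the caching effect the text mentions: the second identical request is answered from the cache and the outbound connection count stays at one, while a POST to the same host or a request to an unlisted port is stopped at the rulebase before any connection is attempted.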